OFFICE OF THE INSPECTOR GENERAL
U.S. NUCLEAR REGULATORY COMMISSION

Use of E-Mail at NRC

OIG-03-A-11 March 21, 2003

AUDIT REPORT

All publicly available OIG reports (including this report) are accessible through NRC’s website at: http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

March 21, 2003

MEMORANDUM TO: William D. Travers
               Executive Director for Operations

FROM: Stephen D. Dingbaum/RA/
      Assistant Inspector General for Audits

SUBJECT: USE OF E-MAIL AT NRC (OIG-03-A-11)

Attached is the Office of the Inspector General’s audit report titled, Use of E-Mail at NRC. This report reflects the results of our review to assess (1) the adequacy of NRC’s process in place for ensuring that appropriate e-mail records become official agency records, (2) the adequacy of NRC’s policies and procedures covering the use of its e-mail system, and (3) whether employee and contractor usage of the e-mail system is consistent with agency policy.

Audit Results:

• NRC has not implemented adequate controls for ensuring that appropriate e-mail records become official agency records. Specifically, the agency has not updated agency guidance for identifying official records, finalized other documents that will provide valuable information to staff, or provided adequate training on these subjects.

• NRC’s policies and procedures for the personal use of e-mail are effective.
NRC contractors, however, must adhere to a more stringent personal use of e-mail policy, and procedures have not been put into place to ensure contractors follow this policy.

• NRC employees generally use the e-mail system for official business, or limited personal use in accordance with agency policy. In contrast, NRC contractors do not follow the government-furnished information technology equipment usage policy, which prohibits their personal use of NRC’s e-mail system. In addition, contracting and project officers neglected to include required clauses concerning contractor personal use of information technology equipment in NRC contracts.

At an exit conference held on March 5, 2003, NRC officials generally agreed with the report’s findings and recommendations. The comments provided at the meeting have been incorporated into the report where appropriate.

If you have any questions, please contact Beth Serepca, at 415-5911 or me at 415-5915.

Attachment: As stated

cc:
J. Craig, OEDO
R. McOsker, OCM/RAM
B. Torres, ACMUI
G. Hornberger, ACNW
G. Apostolakis, ACRS
J. Larkins, ACRS/ACNW
P. Bollwerk III, ASLBP
K. Cyr, OGC
J. Cordes, OCAA
S. Reiter, CIO
J. Funches, CFO
P. Rabideau, Deputy CFO
J. Dunn Lee, OIP
D. Rathbun, OCA
W. Beecher, OPA
A. Vietti-Cook, SECY
W. Kane, DEDR/OEDO
C. Paperiello, DEDMRS/OEDO
P. Norry, DEDM/OEDO
M. Springer, ADM
R. Borchardt, NRR
G. Caputo, OI
P. Bird, HR
C. Kelley, Acting SBCR
M. Virgilio, NMSS
S. Collins, NRR
A. Thadani, RES
P. Lohaus, STP
F. Congel, OE
M. Federline, NMSS
R. Zimmerman, NSIR
R. Wessman, IRO
H. Miller, RI
L. Reyes, RII
J. Dyer, RIII
E. Merschoff, RIV
OPA-RI
OPA-RII
OPA-RIII
OPA-RIV

EXECUTIVE SUMMARY

BACKGROUND

Electronic mail (e-mail) is the term used to describe the process or result of sending and receiving messages via telecommunication links between computer terminals. E-mail has in many instances replaced the telephone and paper correspondence as the primary and preferred method of business communication because it is convenient, faster and inexpensive to use. While e-mail provides benefits for businesses, it also has risk. For example, important e-mail correspondence is not always preserved, thereby causing records management problems. Inappropriate employee use is another risk when employees access an organization’s e-mail system for personal use.

PURPOSE

The objectives of this audit were to assess whether:

1. NRC has an adequate process for ensuring that appropriate items of e-mail correspondence become official agency records;
2. NRC has adequate policies and procedures covering the use of its e-mail system; and
3. NRC employee and contractor use of the e-mail system is consistent with agency policy.

RESULTS IN BRIEF

NRC has not implemented adequate controls for ensuring that appropriate e-mail records become official agency records. Furthermore, while NRC employees generally use the e-mail system for official business, or limited personal use in accordance with agency policy, contractors do not follow the more stringent e-mail usage policy applicable to them.

A. E-Mail As Official Agency Records

NRC management has not updated agency guidance for identifying official records and has not finalized other documents that will provide valuable information to staff. Furthermore, NRC has not provided adequate training to staff on these subjects. As a result, offices approach records management inconsistently and may be failing to capture all relevant record material. Non-compliance with Federal record archiving requirements could cost NRC millions of dollars to recover e-mail records that have not been effectively preserved.

B. Personal Use of NRC’s E-Mail System

NRC’s policies and procedures covering personal use of the e-mail system are generally effective for employees. Approximately 82 percent of the 2,718 items of e-mail correspondence reviewed during this audit was for official business. Approximately 18 percent of the e-mail correspondence was of a personal nature, but did not violate minimal-use limits prescribed by NRC policy. None of the 2,718 items of e-mail correspondence reviewed for this audit contained inappropriate or prohibited material.[1]

In contrast, NRC contractors do not follow the policies applicable to them. Contractors mistakenly believe that the employee minimal-use policy applies to them rather than the more stringent, but less publicized, contractor-use policy, which prohibits their use.
In addition, contracting and project officers neglected to include required clauses concerning contractor personal use of information technology equipment in NRC contracts. As a result, contractors are not in compliance with NRC policy, which was written to avoid recurrences of instances of inappropriate use of government-furnished information technology equipment by contractors.

RECOMMENDATIONS

The consolidated list of recommendations made to the Executive Director for Operations is on page 13.

[1] While no inappropriate or prohibited material, such as pornography or gambling, was found in the audit sample, isolated instances could exist.

ABBREVIATIONS AND ACRONYMS

ADAMS     Agencywide Documents Access and Management System
e-mail    electronic mail
IT        information technology
MD 2.7    Management Directive and Handbook 2.7
MD 3.53   Management Directive and Handbook 3.53
NARA      National Archives and Records Administration
NRC       U.S. Nuclear Regulatory Commission
OCIO      Office of the Chief Information Officer
OIG       Office of the Inspector General

TABLE OF CONTENTS

EXECUTIVE SUMMARY
ABBREVIATIONS AND ACRONYMS
I.    BACKGROUND
II.   PURPOSE
III.  FINDINGS
      A. E-MAIL AS OFFICIAL AGENCY RECORDS
      B. PERSONAL USE OF NRC’S E-MAIL SYSTEM
IV.   CONSOLIDATED LIST OF RECOMMENDATIONS
V.    AGENCY COMMENTS

APPENDIX
A.    SCOPE AND METHODOLOGY

I. BACKGROUND

Electronic mail (e-mail) is the term used to describe the process or result of sending and receiving messages via telecommunications links between computer terminals. E-mail has in many instances replaced the telephone and paper correspondence as the primary and preferred method of business communication because it is convenient, faster and inexpensive to use. While e-mail provides benefits for businesses, it also has risk. For example, important e-mail correspondence is not always preserved, thereby causing records management problems.
Inappropriate employee use is another risk when employees have been given permission to access an organization’s e-mail system for personal use.

Official Records

In the Federal Government, e-mail exchanges that lead to official action are part of agencies’ official records and such correspondence must be preserved so that interested parties can follow the decisionmaking process and ascertain the intent behind decisions. Federal agencies are required to comply with regulations governing records management issued by the National Archives and Records Administration (NARA). The NARA regulations require adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency.

Personal Use of E-Mail

NRC’s policy governing employee personal use of e-mail, stated in Management Directive and Handbook 2.7 (MD 2.7), Personal Use of Information Technology, defines acceptable conditions for NRC employees’ personal use of information technology (IT). This policy is based on the model recommended by the Federal Chief Information Officers Council, an interagency forum established by Executive Order to improve agency practices for managing information technology. The Federal Chief Information Officers Council model recommends that Federal employees be permitted limited use of information technology, including e-mail, if the use does not interfere with official business and involves minimal additional expense to the Government.

II. PURPOSE

The objectives of this audit were to assess whether:

1. NRC has an adequate process for ensuring that appropriate items of e-mail correspondence become official agency records;
2. NRC has adequate policies and procedures covering the use of its e-mail system; and
3. NRC employee and contractor use of the e-mail system is consistent with agency policy.

III. FINDINGS

NRC needs to improve its controls for ensuring that appropriate items of e-mail correspondence become official agency records. Furthermore, while NRC employees generally use the e-mail system for official business or limited personal use in accordance with agency policy, contractors do not follow the more stringent e-mail usage policy, which prohibits their use. Specifics on these matters are described in the following sections.

A. E-MAIL AS OFFICIAL AGENCY RECORDS

NRC has not implemented adequate controls to ensure that appropriate items of e-mail correspondence become official agency records. NRC has not updated agency guidance for identifying official records and has not finalized other documents that will provide valuable information to staff. Furthermore, the agency has not provided adequate training to staff on these subjects. As a result, offices approach records management inconsistently and may be failing to capture all relevant record material.
Non-compliance with Federal record archiving requirements could cost NRC millions of dollars to recover e-mail records that have not been effectively preserved.

Policy on Official Agency Records

Management Directive and Handbook 3.53 (MD 3.53), NRC Records Management Program, specifies NRC’s policy, objectives, and organizational responsibilities and delegations of authority pertaining to records management. MD 3.53 specifies that:

• The Office of the Chief Information Officer (OCIO) is responsible for developing and maintaining procedures for the organization, maintenance, use, and disposition of all NRC official records;

• NRC offices must have a designated Records Liaison Officer who administers records management policies, procedures, and programs to ensure that NRC’s file maintenance system is being implemented within their offices; and

• NRC employees and contractors must preserve the official records that they create, receive, or access in accordance with MD 3.53.

The criteria for determining which e-mail correspondence should be maintained as official agency records are the same as those that apply to every other type of media. Electronic record material includes e-mail correspondence concerning agency business — its functions, policies, decisions, procedures, and operations — or other activities of the Government. Furthermore, e-mail record material could include correspondence pertaining to policy, rationale for a decision, sense of direction, or guidance above and beyond that documented in the official files. An e-mail from one NRC manager to another approving funding for a program represents an example of correspondence that should be saved as a record. In contrast, non-record material includes extra copies of documents kept for convenience of reference and informal e-mail messages from an individual to other individuals in the agency that do not relate to agency business.

Agency Guidance

MD 3.53 is incomplete because it fails to describe NRC’s current methods for preserving e-mail records in the Agencywide Documents Access and Management System (ADAMS). ADAMS became an official recordkeeping system on April 1, 2000. Last revised in June 1995, MD 3.53 lacks any reference to the role of ADAMS. According to the ADAMS Desk Reference Guide, employees are to identify which e-mails constitute official agency records and then follow the necessary steps to place the e-mails into ADAMS. The ADAMS Desk Reference Guide states that the e-mail message, its transmission and receipt data, and any attachments to the message are to be preserved. Yet, MD 3.53 contains no information about e-mail procedures specifically relevant to ADAMS.

Draft Guidance

While MD 3.53 holds OCIO responsible for developing and maintaining procedures for managing official records, the office has yet to finalize guidance it drafted and circulated for review.
This comprehensive guidance is contained in a collection of documents[2] that describe office responsibilities and quality assurance procedures for ensuring that offices maintain complete record collections. On May 22, 2002, OCIO distributed these documents to NRC headquarters management officials, whose offices are responsible for the largest record collections that reside in ADAMS, and requested their feedback. On June 6, 2002, OCIO distributed these documents to NRC regional office management officials and also requested their feedback. While OCIO received and incorporated feedback, OCIO has not finalized this package or issued it to all offices as planned.

[2] Titles include NRC Office Responsibilities for Ensuring the Integrity of Agency Record Collections; Records Management Guideline No. 02-02, Responsibilities of Records Liaison Officers in the ADAMS Environment; Records Liaison Officers; and Sample Searches for Monitoring ADAMS Document Input Based On Organizational Structure and Document Type.

Records Management Web Site

OCIO has developed, but not fully deployed, an extensive records management Web site to assist staff in identifying official agency records. NRC’s records management Web site will describe employee responsibilities for official records and include links to other sources of related guidance, including key NRC management directives and NARA’s database. Although access to the Web site was provided to one NRC office during a special training session requested by that office, the link is not yet available on NRC’s internal home page for agencywide use.

Records Management Training

NRC does not provide adequate training for records management to the agency staff. NRC employees have expressed concern that staff need clearer direction and training to better determine which items of e-mail correspondence need to be saved as official agency records. For example, Records Liaison Officers advised that employees have varying levels of understanding about which e-mails should be saved. In addition, Records Liaison Officers, who are required by MD 3.53 to administer records management procedures, have received only limited training on the subject.

E-Mail Purge

Although the NRC Network Operations Center performs an agency e-mail purge every 180 days and notifies system users in advance of this procedure, the agency has not taken these opportunities to clearly communicate specific information on the preservation of record e-mails.
While the e-mail purge notification reminds employees of their requirement to meet NARA and NRC regulations, it fails to specifically indicate:

• where to review NRC policy and procedures identifying which records should be preserved as official agency records,
• how to archive documents,
• where to review NARA requirements, and
• how to save e-mail as official agency records.

Specific guidance on how to fulfill these requirements is located in MD 3.53, the Groupwise training manual, and the ADAMS Desk Reference Guide.

Management Priorities

OCIO management and staff explained that a primary reason for failing to finalize draft documents or clarify guidance identifying records management control activities is that these projects have not been office priorities. According to an OCIO manager and staff, limited resources restrict their ability to complete the revisions to MD 3.53, correct Web site links, and offer training.

E-Mail Recovery Costs

Non-compliance with Federal record archiving requirements could cost NRC millions of dollars to recover e-mail records that have not been effectively preserved. An inconsistent approach to records management may cause a failure to capture all relevant record material.
GAO Report, Clinton Administration’s Management of Executive Office of the President’s E-Mail System, GAO-01-446, April 2001, found that the Executive Office of the President did not implement adequate records management controls to ensure that all e-mail records generated or received were preserved in accordance with applicable law and best practices. Several factors, including records management practices and miscommunication, contributed to the expected cost to restore omitted e-mail records, estimated to be $11.7 million.

Summary

NRC has not implemented adequate controls for records management. Management attention to the completion of tasks currently underway will help ensure that appropriate e-mail records become official agency records and could help NRC avoid incurring substantial costs that may result if the agency has to re-create official agency records.

RECOMMENDATIONS:

OIG recommends that the Executive Director for Operations:

1. Revise Management Directive and Handbook 3.53, NRC Records Management Program, to include current information about ADAMS.

2. Finalize and implement the guidance identifying office responsibilities for records management.

3. Finalize the records management Web site.

4. Develop and require records management training for Records Liaison Officers.

5. Develop and offer records management training for NRC staff.

6. Revise the network announcement regarding the e-mail purge to include links to records management guidance.

B. PERSONAL USE OF NRC’S E-MAIL SYSTEM

NRC’s policies and procedures covering personal use of e-mail are generally effective for employees. Approximately 82 percent of the 2,718 items of e-mail correspondence reviewed during this audit was for official business. Approximately 18 percent of the e-mail correspondence was of a personal nature, but was within the minimal-use limits prescribed by NRC policy. None of the 2,718 items of e-mail correspondence reviewed contained inappropriate or prohibited material.[3]

[3] While no inappropriate or prohibited material, such as pornography or gambling, was found in the audit sample, isolated instances could exist.

In contrast, NRC contractors do not follow the policies applicable to them. Contractors mistakenly believe that the employee minimal-use policy applies to them rather than the more stringent, but less publicized, contractor-use policy, which prohibits their use. In addition, contract and project officers neglected to include required clauses concerning contractor personal use of IT equipment in NRC contracts.
As a result, contractors are not in compliance with NRC policy, which was written to avoid recurrences of instances of inappropriate use of government-furnished IT equipment by contractors.

NRC Policy

MD 2.7, Personal Use of Information Technology, defines acceptable conditions for NRC employees’ personal use of IT, including e-mail. The policy and guidance in MD 2.7 do not apply to NRC contractors. Personal use of e-mail by NRC employees is permitted when such use:

• involves minimal or no additional expense to the Government,
• is performed during employee non-work time,
• does not interfere with NRC’s mission or operation,
• does not violate Federal Government Standards of Ethical Conduct, and
• is not prohibited by law.

MD 2.7 also affirms that personal use of agency IT is a privilege, not a right. Employees should not have the expectation of privacy while using agency IT systems. By using such systems, employees imply their consent to disclosing the contents of any files or information maintained in the systems. NRC’s policy for the automated information systems security program requires that managers inform system users that their activities on the system are subject to monitoring. NRC computer systems are configured to display a warning banner to users upon first accessing NRC automated information resources. By clicking “ok” to clear the warning banner that appears upon login, users give consent to the monitoring of their activities and acknowledge awareness that violation of security regulations or unauthorized uses of NRC computer systems is subject to criminal prosecution and/or disciplinary action.
In addition, NRC employees are required to take an online computer security awareness course that contains a module on personal use of Government equipment.

To prevent contractor abuse of IT equipment, NRC issued a new procurement instruction, which clarifies specific contractor responsibilities when utilizing NRC-furnished IT equipment, services, or access. DCPM Instruction 02-01, issued March 4, 2002, specifically prohibits personal use of e-mail by contractors. The policy was written to reinforce the fact that MD 2.7 does not apply to NRC contractors. DCPM Instruction 02-01 states that the contractor must be held responsible for monitoring its employees, consultants, and subcontractors to ensure that NRC-furnished IT equipment and/or IT access are not used for personal use, misused, or used without proper authorization. To implement this policy, NRC’s Division of Contracts requires inclusion of the clause entitled, “Appropriate Use of Government Furnished Information Technology (IT) Equipment and/or IT Services/Access (March 2002),” in all solicitations/contracts or delivery orders that allow contractor staff access to NRC IT equipment and services.

E-Mail Activity at NRC

OIG reviewed approximately 3,000 e-mail messages sent by 183 system users over a 3-day period[4] in October 2002 and found that none of the messages contained inappropriate content (e.g., sexually explicit materials or materials related to gambling, illegal weapons, terrorist activities, or “for-profit” business activity).
Of the e-mail messages sent, approximately 82 percent was related to NRC business. The remaining 18 percent of the e-mail correspondence was personal messages. All employee personal e-mail messages were in accordance with NRC policy. In addition, OCIO management stated that the agency set a limit on the file size of e-mail and attachments to prevent situations where large files can degrade network performance.

Personal Use of E-Mail

While personal use of the e-mail system was minimal and legal, both contractors and NRC staff did not always follow the agency policy and procedures contained in DCPM Instruction 02-01, which prohibits personal use of e-mail by contractors. In a judgmental sample of eight contractors with e-mail accounts, all used the e-mail system for personal use. In addition, 4 of 10 contracts that were executed after March 2002, and required the clause prohibiting contractor employees’ personal use of e-mail, did not contain the required clause.

Based on discussions with contractor employees, OIG concluded that contractors used the e-mail system for personal use because they were unaware that such use was prohibited. The contractor employees were familiar with NRC policy allowing limited employee personal use of the NRC e-mail system. The contractors were aware of MD 2.7 from a recent agencywide network announcement and presumed that the personal use policy pertained to them.

In addition, staff did not ensure that required language specific to contractor use of IT equipment or services appears in NRC contracts.
For example, project officers\n                 did not ensure that the required clause restricting contractor staff access to NRC IT\n                 equipment/services was included in the statements of work for such contracts.\n                 Contract officers also neglected to place the \xe2\x80\x9cAppropriate Use of Government\n                 Furnished Information Technology (IT) Equipment and/or IT Services /Access\xe2\x80\x9d\n                 clause in several bid solicitations and/or contracts.\n\n\n\n\n        4\n          As context, during a 1-week period in October 2002, which contained the 3 days sampled, NRC employees\nsent 48,243 and received 114,294 e-mail messages.\n\n                                                        8\n\x0c                                                                 Use of E-Mail at NRC\n\nPersonal use of the e-mail system by contractor employees is inconsistent with\nagency policies. Despite specific language in MD 2.7 that excludes contractors\nfrom the employee personal use policy and in DCPM Instruction 02-01 that\nprohibits contractor personal use of the e-mail system, contractors use the e-mail\nsystem for personal use. Furthermore, because staff has not fully implemented\noffice procurement policy and procedures, contractor employees are non-compliant\nwith NRC policy.\n\nSummary\n\nNRC policies for personal use of e-mail are generally effective for employees,\nhowever, contractors do not follow the NRC policy prohibiting contractor personal\nuse of NRC\xe2\x80\x99s e-mail system. Because staff did not ensure that required language\nspecific to contractor use of IT equipment or services appears in NRC contracts,\nNRC has not fully implemented the measures written to prevent such use.\n\nRECOMMENDATIONS:\n\nOIG recommends that the Executive Director for Operations:\n\n7.     
Develop a procedure that will implement the policy prohibiting contractor\n       personal use of NRC-furnished information technology equipment.\n\n8.     Modify the contracts requiring NRC-furnished information technology\n       equipment with the needed clause that prohibits contractor use of such\n       equipment.\n\n\n\n\n                                 9\n\x0c                                                                             Use of E-Mail at NRC\n\nIV.   CONSOLIDATED LIST OF RECOMMENDATIONS\n\n          OIG recommends that the Executive Director for Operations:\n\n          1.     Revise Management Directive and Handbook 3.53, NRC Records\n                 Management Program, to include current information about ADAMS.\n\n          2.     Finalize and implement the guidance identifying office responsibilities for\n                 records management.\n\n          3.     Finalize the records management Web site.\n\n          4.     Develop and require records management training for Records Liaison\n                 Officers.\n\n          5.     Develop and offer records management training for NRC staff.\n\n          6.     Revise the network announcement regarding the e-mail purge to include\n                 links to records management guidance.\n\n          7.     Develop a procedure that will implement the policy prohibiting contractor\n                 personal use of NRC-furnished information technology equipment.\n\n          8.     Modify the contracts requiring NRC-furnished information technology\n                 equipment with the needed clause that prohibits contractor use of such\n                 equipment.\n\n\n\n\n                                           10\n\x0c                                                                         Use of E-Mail at NRC\n\nV.   
AGENCY COMMENTS\n\n        At an exit conference held on March 5, 2002, NRC officials generally agreed with\n        the report\xe2\x80\x99s findings and recommendations. While agency officials chose not to\n        provide a formal written response for inclusion in the report, they did provide\n        editorial suggestions, which have been incorporated where appropriate.\n\n\n\n\n                                        11\n\x0c                                                                      Use of E-Mail at NRC\n                                                                               Appendix A\n\nSCOPE AND METHODOLOGY\n\n        OIG reviewed the employee and contractor use of e-mail at NRC. To accomplish\n        the audit objectives, OIG reviewed NRC Management Directives, office guidance,\n        OIG reports, and outside agency documents. Auditors interviewed NRC contractor\n        employees to determine their understanding of the personal use policy; Records\n        Liaison Officers to gain insight on records management policies; NRC managers;\n        and other staff. OIG performed an analysis of approximately 3,000 e-mail\n        messages that NRC employees and contractors sent during a 3-day period in\n        October 2002 to determine whether the messages were within established\n        guidelines.\n\n        This work was conducted from September 2002 through December 2002 in\n        accordance with generally accepted Government auditing standards and included\n        a review of management controls related to the objectives of the audit.\n\n        The major contributors to this report were Beth Serepca, Acting Team Leader;\n        Vicki Foster, Management Analyst; and Rebecca Underhill, Management Analyst.\n\n\n\n\n                                      12\n\x0c'